WinInformant Says Windows More Secure Than Linux
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T : Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T : Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
but which were more severe? (Score:4, Interesting)
Statistics.... (Score:2, Interesting)
Let's keep in mind that Linux users who find bugs or issues are far more likely to report them, document them, publicize them, and share them.
Microsoft users who find bugs call Microsoft tech support, who informs them politely that it's a feature, and lets the issue be stored deep in their databases somewhere.
This is not an issue of who has more issues, but whose issues get reported and publicized more.
Lousy research (Score:3, Interesting)
Also, the Windows announcements are for the OS itself only, while the Linux announcements cover programs that do not count as OS stuff under Windows.
Badly researched piece.
/Janne
The more accurate question (Score:5, Interesting)
1. How severe is the hole if exploited?
Are we talking a DoS, a root compromise, the ability to take over a domain controller? The effect of a compromise needs to be taken into account.
2. How easy to exploit is the hole?
Is it a theoretical exploit, or are there tools floating around? Can it be easily mitigated by a good firewall, or can viewing an email cause the problem?
These questions seem to me more important than pure quantity and should be taken into account when building a threat assessment of a system.
Break it down.. (Score:3, Interesting)
2. Activeness - The common issues reported for Windows deployments are almost universally in use and actively being exploited BEFORE the report. Most *ix vulnerabilities are not being actively exploited (and definitely at a lower level of activity), and are generally patched to resolve the issue FAR quicker.
3. Openness - "Linux" has no control over the release of bug reports. Microsoft on the other hand, does, to a degree. They can actively "pursue" the matter and encourage the bug reporter to remain quiet about it until they can respond. In some cases for MONTHS, even for well-established bug hunters like eEye, on very large vulnerabilities like UPnP.
In closing, there are lies, damned lies, and statistics. Sure, you can put whatever spin you want on it, and I think I have in this posting.
ONE thing needs to be clear: there are a lot of bugs, and having many eyes isn't preventing them from happening on Linux.
No matter where you sit, it's justification to yet again work diligently to reduce the number of potential bugs by secure programming techniques.
sircam, code red, nimda (Score:2, Interesting)
Some explanations??? (Score:5, Interesting)
I wonder how they decided what is "more secure", but my guess is that it's based on the number of reported exploits/bugs.
Does anyone know if they used any weighting on the types of exploits/bugs. I would consider a remotely exploitable bug to be much worse than a locally exploitable bug as you can't control people that aren't on your box as well as the people that are. I would consider a root/administrator access bug to be worse than a denial of service type bug.
So, given a weighting scheme of
Remote Root = 4
Remote Denial of Service = 3
Local Root = 2
Local Denial of Service = 1
How would the different OSes stack up?
My guess is that without even taking number of installations into account you would find that Microsoft was at least as bad as the various Linux/Unix versions. I'm not going to say that they were worse.
Anyone want to do some analysis on the same information given a weighting scheme and see what the differences are?
Z.
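The weighting question above is easy to test mechanically once the advisories are classified. As an added example, not code from the original post or from SecurityFocus, the Python below applies the proposed weights to a constructed advisory list and also counts a shared advisory (one libc bug shipped by several distributions) only once in the Linux aggregate, which is one reading of the "unique bugs" question raised later in the thread. The advisory IDs, products and remote/local classifications are made-up sample data; whether Bugtraq actually deduplicated that way is an assumption, not something the page states.

```python
"""Weighted vulnerability tally (added example, constructed data).

Each advisory is classified by access vector (remote/local) and impact
(root/dos), scored with the weights proposed in the comment above, and
aggregated per product. An advisory id that appears under several Linux
distributions is counted once in the 'Linux (aggr.)' row, so the distro
rows do not simply add up to the aggregate.
"""
from collections import defaultdict

# The weighting scheme proposed in the comment above.
WEIGHTS = {
    ("remote", "root"): 4,
    ("remote", "dos"): 3,
    ("local", "root"): 2,
    ("local", "dos"): 1,
}

# Constructed sample advisories: (advisory_id, product, vector, impact).
# ADV-4 models one shared library bug published once per distribution.
SAMPLE = [
    ("ADV-1", "Win2K", "remote", "root"),
    ("ADV-2", "Win2K", "remote", "dos"),
    ("ADV-3", "Win2K", "local", "dos"),
    ("ADV-4", "RedHat", "remote", "root"),
    ("ADV-4", "SuSE", "remote", "root"),
    ("ADV-4", "Debian", "remote", "root"),
    ("ADV-5", "RedHat", "local", "root"),
    ("ADV-5", "Debian", "local", "root"),
    ("ADV-6", "SuSE", "local", "dos"),
    ("ADV-7", "RedHat", "local", "dos"),
]

LINUX_DISTROS = {"RedHat", "SuSE", "Debian"}


def score(vector, impact):
    """Map an advisory class to its weight; reject unknown classes loudly
    rather than silently scoring them zero."""
    try:
        return WEIGHTS[(vector.lower(), impact.lower())]
    except KeyError:
        raise ValueError(f"unknown advisory class {vector}/{impact}")


def tally(advisories):
    """Return {product: (raw_count, weighted_score)}, plus a deduplicated
    'Linux (aggr.)' row that counts each advisory id only once."""
    raw = defaultdict(int)
    weighted = defaultdict(int)
    seen_linux = set()
    for adv_id, product, vector, impact in advisories:
        w = score(vector, impact)
        raw[product] += 1
        weighted[product] += w
        if product in LINUX_DISTROS and adv_id not in seen_linux:
            seen_linux.add(adv_id)
            raw["Linux (aggr.)"] += 1
            weighted["Linux (aggr.)"] += w
    return {p: (raw[p], weighted[p]) for p in raw}


def naive_linux_sum(advisories):
    """Sum of the per-distro raw counts, i.e. the number a reader gets by
    adding the distro rows together; it over-counts shared advisories."""
    return sum(1 for _, p, _, _ in advisories if p in LINUX_DISTROS)


if __name__ == "__main__":
    for product, (n, w) in sorted(tally(SAMPLE).items()):
        print(f"{product:14s} advisories={n:2d} weighted={w:2d}")
    print("sum of distro rows:", naive_linux_sum(SAMPLE))
```

On this constructed data Win2K and the deduplicated Linux aggregate come out with the same weighted score (8) despite different raw counts (3 vs 4), while naively adding the distro rows gives 7 entries; which way the real numbers move depends entirely on how the classification and deduplication are done, which is the point of the comment.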
Re:This, of course, will be ignored and ridiculed (Score:2, Interesting)
Wait a sec... (Score:5, Interesting)
2. Sheer number of vulnerabilities mean nothing - are they counting the severity of the vulnerabilities?
3. Are they counting the time it took before A) someone discovered the vulnerability and B) a patch was issued?
4. If there are comparable numbers of linux vs. win2k servers out there, which actually had more break-ins? (This question not valid if there is a wide gap in numbers since then the lower of the two probably benefits from that "security through obscurity").
5. I think having full source code availability leads to people actually FINDING the bugs, whereas Windows could have way more, but we don't know about them unless people are actually TRYING to crack the system (as opposed to finding them working on source or whatever).
Bogus statistics (Score:3, Interesting)
I'm sure it was an honest mistake that most Linux bugs were counted multiple times.
But I don't buy into the "bug count" argument anyway. It's a lot like that controversy over the "most decorated US veteran" (Hacksworth?) - a lot of people think that you can have a warehouse full of bronze stars and distinguished service medals and it's all scrap metal next to a single Congressional Medal of Honor (post.).
What was the last remote root exploit for a widely used Unix service? What about local exploit for a widely used Unix application?
Now ask the same thing about Microsoft.
Finally, "NTBugTraq" may be respected but that doesn't mean it never publishes crap -- sometimes for the purpose of shooting it down. I've seen this happen on comp.risks and elsewhere.
Re:This, of course, will be ignored and ridiculed (Score:2, Interesting)
Re:Actually, to be fair... (Score:5, Interesting)
There are FAR fewer holes in W2K than people would like to admit. IE may have some problems but not the base OS. Even IIS has been tightened up a great deal.
People need to understand something: we know MS almost never gets it right the first time (see version 1.00 bug) and may not the second, but eventually they do. OK, they sucked at security to begin with, but with all those resources and the pressure from the top and from outside - did you really think they'd sit still or get worse? Nope - ask Netscape what happens when you become their focus of attention. Tux comes out and smokes IIS 5 and everyone laughs... according to the results of my beta tests with IIS6, we'll see who's laughing when it's publicly benched.
Your lesson is: MS learns. It's almost never right the first time but... it learns.
Re:This, of course, will be ignored and ridiculed (Score:2, Interesting)
Worst Distribution has Less than W2k (Score:3, Interesting)
What is the Linux (aggr.) anyway? The individual distribution numbers don't add up to that aggregate total. Does bugtraq not even know the Linux distros?
Re:Not being a Windows apologist (Score:5, Interesting)
Contrast this with a typical RedHat install. Sure, you can elect to not install a ton of stuff, but the dependencies can and will drive you nuts if you need widget-1.12-i386.rpm, which conflicts with Perl, glibc, and about ten thousand other things you don't want to fool with. Then couple that with the overwhelmingly nonexistent or conflicting/out-of-date documentation that is (isn't?) available for some Linux modules, and you're reduced to playing Sherlock Holmes again. And what do you do when the HOWTO doesn't answer your question? Posting in a newsgroup results in about 50% of the responses being "read the HOWTO you fucking l00ser", 40% being wrong/misinformed/don't-know-either responses, and only 10% being useful and helpful.
What both Windows and Linux need is a "Secure" install option that by default has nearly everything turned OFF, and then a simple way to add/enable functionality as needed. Templates for webservers, DNS, FTP, mail servers, and such would be great, and they should keep pace with patches and updates for the OS and related applications. Why no one has bothered to do this is beyond me, but I think this laziness has resulted in 90% of the exploits seen in ALL OS's on the web.
Re:Actually, to be fair... (Score:2, Interesting)
Ok, if you tell me how to install W2K without IE, I would even accept this argument.
Even IIS has been tightened up a great deal.
You mean it is a lot less insecure now than it used to be?
BTW, are "user gains access he shouldn't have" bugs really considered on a W2K system? The majority of "linux" bugs seem to be of this type (symlink attack allowing one to read some log file or something). Since W2K is still basically a single-user system, I would imagine these are not taken too seriously.
Re:Why is this automatically false? (Score:3, Interesting)
Linux DOES have this - there are various and sundry programs which will scan your code for you - even kernel code. And if you don't want to rely on the programmer, there are libraries available for Linux which prevent a number of these holes - automatically.
My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP
Of all the boxes I've had to monitor, only a disused Windows box has ever been compromised. I am constantly bombarded with virii and worm attacks from compromised Windows boxes; most of the Linux boxes "attacking" my network are owned by the hackers.
I'd stand by my Linux install just as soon as I'd stand by any Windows box I've had a hand in hardening.
Re:Lousy research (Score:3, Interesting)
Anyway, what I found interesting is that Redhat fares so badly - about as bad as Win2k, and about twice as bad as any other Linux distribution. If SuSE has only 21 tracked bugs, and comes with a lot of software (7 CDs now, I think), is Redhat with 54 entries doing something wrong?
Re:This, of course, will be ignored and ridiculed (Score:3, Interesting)
I'm still a little unclear on what you mean by "unique bugs." So if there's a glibc vulnerability in all distributions, it gets counted only once in the aggregate?
If so, I'll consider the numbers a little less suspect.
Thanks in advance.
Re:Actually, to be fair... (Score:3, Interesting)
EXACTLY!!!!!! Sorry, you can't count any BIND holes on linux. Or any sendmail, ssh, telnet, ftp, etc...
so after removing all holes that are for software that runs on the OS, linux has what, 1 maybe 2?
This is why I pitch a royal bitch about most certification and security analyses... they are testing things that are not a part of the CORE OS, and therefore are making everything a mess.
Let's take NT4.0 and a slackware linux with packages A and N installed. No software other than what the base OS allows. (no ftp, no BIND, no sendmail, no servers of any kind.)
then let's look at the holes... the number of problems on both sides will dwindle to almost nothing, with NT losing because of the silly run-all-services-as-the-system-account bungle.
if you were to apply a daemon mindset to NT, and be able to run most of the services as an almost-no-access user, over 1/2 the trouble would evaporate.
Re:Statistics.... count the bugs in fixpacks too (Score:3, Interesting)
> This is not an issue of who has more issues, but whose issues get reported and publicized more.
Well said. The best defense to this FUD I've seen so far. Be sure that there are hundreds of Microsoft employees whose only job is to figure out holes in the Linux model such that it makes Windows look better. There was the re-surgence of communism and the GPL cracks the foundation of our economy to name 2 off the top of my head.
The Microsoft model is to hide the bugs because it makes the product "look" more flawed. Having flown the BSOD flag over Redmond for the last few years shows they NEED to hide the bugs because perception is that the product IS FLAWED. Now the flag is SECURITY and they need to hide the bugs again.... Linux and opensource on the other hand, project reliability and security through openness. So like always, Microsoft uses manipulated statistics to ATTEMPT to show Windows is better. Remember in 1995 when NT sould 100% explosive growth of NT?....
Your one-liner blows the thousands of dollars spent on that report right out of the water. IMHO.
LoB
Re:This, of course, will be ignored and ridiculed (Score:3, Interesting)
while Windows is generally limited to relatively standard installations
I once got my hands on the OEM installation kit and read through the licensing and instructions. Although I didn't understand everything, one thing I did understand is the OEMs, with a few very minor exceptions, must do a default install. They are prohibited, for instance, from removing or disabling IIS. I bet that'll make a big difference in the exploitability of any bug and hence security.
Calibration of Counting (Score:4, Interesting)
For any measurement to be meaningful, a mechanism of calibration must exist. In the context of counting software defects of any type, some questions immediately arise:
1. Severity: is there a threshold for including a bug in the count? Is it the same across systems? EG: does each count "privacy bugs"?
2. Scope of measurement: are the measurements made for comparable functionality of code? EG: If "MS Backoffice" is tallied separately to WinNT, is this an apples-to-apples comparison to a linux distro?
3. Timing: does each measurement count vulnerabilities at the same point in the identification process? EG: Do "theoretical" bugs with no known exploit count? Do bugs in beta versions of particular applications count?
4. Completeness: are all vulnerabilities reported? Are separable vulnerabilities reported separately? EG: if MS internally IDs a bug and fixes it, does it remain secret or will it make its way into the tally? Can three separate bugs be counted as only 1 because the details are kept hidden?
I believe that linux distros include a lot more functionality, have a higher standard on what constitutes a bug, report bugs early and visibly, and fix bugs much earlier in the vulnerability lifecycle. Every one of these traits would penalize a linux distro on a defect count metric.
Reported defect counts are generally a lousy measure of quality, because they drive bad behavior: they can be decreased by lowering the quality of identification process instead of improving the quality of the product. Moreover, to draw conclusions about overall system security, I would be more interested in the aggregate lifetime-until-patch of known working exploits.
Re:Less because MS doesnt tell (Score:3, Interesting)
Open, maybe. Willing to change, rarely. Just look at the recent code rift between pre-release forks and the slowly growing consensus that Linux isn't up to the task. Something as simple as a paging system has to be debated endlessly (in the meantime, having different systems with different potential vulnerabilities). We may not be able to look at the MS code, but we can be pretty sure what doesn't work on one machine shouldn't work on another.
Re:This, of course, will be ignored and ridiculed (Score:3, Interesting)
This ignores so much... (Score:4, Interesting)
Now consider exploitability. Let's take Mandrake for example -- although their figures are already way lower than NT's (or, no doubt, 95/98/ME's), a default install includes 'libsafe', which means that none of the buffer overflows or format bug exploits will work. There go 3/4 of the theoretical vulnerabilities, including the ones which haven't been discovered yet. And a libsafe rpm could be installed on almost any Linux system in a matter of seconds without breaking anything, making the whole raw tally concept very questionable.
The only way to secure an MS system that broadly and quickly is to cut the Ethernet cable.
I leave my Linux box on the Internet without worry, and my investment in security has been maybe an hour and $0.00. I can and do take my time on patches because I know that almost none of the bugs have any chance of being exploited on my system. That is a realistic measure of Linux security, and I will delightedly compare it to Windows any day of the week. Securityfocus' figures, taken by themselves, don't mean anything.
Glass half full... (Score:5, Interesting)
A more scientific approach (Score:3, Interesting)
1- let's establish what's a Windows OS and what's a Linux OS (and the nots too)
1.1 Windows 3.1 is NOT an operating system. It is a graphical user interface (GUI) for DOS. Let's assume Win 95/98/ME and NT 3.5/4.0/2000/XP are OSes.
1.2 Linux is NOT an OS. It is a KERNEL. The combination of Linux and the GNU OS makes the operating system we know as GNU/Linux.
2 Let's determine the minimum installation of each one that's capable of doing useful work, including user tasks such as reading e-mail and browsing the web and server tasks such as serving web pages, sharing files, routing e-mail, et al.
2.1 Both in Windows and GNU/Linux you'll have to select all the packages necessary for the proposed tasks using the minimum offered by the standard install CD. If the CD doesn't offer some of the functionalities they must be downloaded from the manufacturer's site.
2.2.1 For Windows you'll keep only:
- networking drivers;
- the standard MS file sharing;
- Internet Explorer;
- Outlook express/MS mail;
- IIS/personal web server
- Exchange server;
2.2.2 For GNU/Linux:
- Network modules and associated tools;
- NFS or Samba;
- Mutt or pine (remember, in GNU/Linux you can read e-mail/browse from the command line, so XFree is not installed);
- Lynx or Links
- Apache;
- Sendmail;
3 Count the number of security holes in the test systems, including:
- vulnerabilities to e-mail virii;
- vulnerabilities to malicious web-pages;
- remote exploits that grant root/administrator access;
- local exploits that grant root/administrator access;
- holes that allow an attacker to successfully launch a DoS attack, freezing the machine;
- unauthorized read and/or write access to files;
- any other vulnerability you can think of;
In a test like this who do you think'll win? Please post your comments.
Re:Less because MS doesnt tell (Score:2, Interesting)
I guess I can take you up on two points
1. Paging debates: Yes, I agree it seems that there has been a lot of talk about it, but it has been out in the open AND the potential vulnerabilities are well known AND if you need security you can't beat the stable Debian kernel 2.2, which I guess is another way of saying that you know very well that you can have problems, as you are told up front
2. We are talking about pre-release forks here (which I guess is part of point 1) and we are talking about MS releasing release candidates, but knowing about huge security holes like the plug and play
No?
Thanks
Thurrott (Score:2, Interesting)
Oh yeah. (Score:3, Interesting)
Why not try this.
With any of the following IPs, type 'smbclient -L 207.88.220.61'
If you're more of a cracker than I am, you might then try smbclient and just hit return when prompted for a password.
this also works with:
203.228.232.188
203.231.119.70
203.231.166.49
203.233.20.86
203.231.216.208
203.199.54.26
203.231.217.5
203.231.122.227
203.244.13.72
and countless others.
These machines (all Win2K) have their entire filesystems exposed over the internet, and are promiscuously advertising their presence because they are infected by a virus that leaves a clear trail in the logs of any web server they attempt to infect.
These machines are engaged in abuse of my web services, and I hold Microsoft at least partly responsible for this situation.
Presumably the virus itself is responsible for opening their shares with guest access, but maybe it's M$'s lame out-of-the-box security.
If your machine's IP is on this (small fragment of my) list of machines banned from accessing my web server due to virus infection, then I suggest you replace your hopelessly insecure OS with a decent one.
I was incredulous when I analysed my web server's logfiles and found the sheer number of virus-infected hosts, all Windows NT and 2000, most of which were sharing the entire contents of their hard drives over the public internet.
I know Windows can be secure as the admin is competent, but the ease with which its security is breached through Outlook/IE is breathtaking.
The idea that Windows is somehow more secure than Linux/UNIX is laughable to me.
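The "clear trail in the logs" this post refers to is what an admin would grep for before building a ban list like the one above. As an added example, not the poster's code, the Python below scans a few constructed NCSA combined-format log lines for the request paths left by the worms named elsewhere in this thread (Code Red's /default.ida probe, Nimda's root.exe and cmd.exe directory-traversal probes) and emits an Apache 1.3/2.x `Deny from` list for the hosts that sent them. The addresses and log lines are made up; the signature patterns are the well-known worm request paths, but any real log will also need tuning for false positives such as your own scanners.

```python
"""Web-log triage for IIS worm probes (added example, constructed data).

Parses Apache/NCSA combined-format lines, classifies the request path
against the Code Red and Nimda probe signatures, and returns the probing
source addresses so they can be dropped into an Apache deny list.
"""
import re
from collections import Counter

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Request-path signatures of the worms named in this thread.
SIGNATURES = {
    # Code Red: long GET /default.ida?XXXX...%u9090... overflow probe
    "code-red": re.compile(r"^/default\.ida\?", re.I),
    # Nimda: root.exe left by earlier infections, or cmd.exe reached
    # through (double-encoded) ../ traversal out of /scripts, /msadc etc.
    "nimda": re.compile(r"(root\.exe|cmd\.exe)", re.I),
}

# Constructed sample log (documentation-range addresses, no real hosts).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Feb/2002:10:01:12 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 287
203.0.113.10 - - [04/Feb/2002:10:01:13 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
203.0.113.10 - - [04/Feb/2002:10:01:13 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [04/Feb/2002:10:02:40 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.44 - - [04/Feb/2002:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 5123
192.0.2.44 - - [04/Feb/2002:10:03:06 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
garbage line that does not parse
"""


def parse_line(line):
    """Return the matched fields as a dict, or None for unparseable lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name of the first matching worm signature, or None for normal traffic."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def scan(log_text):
    """Return {ip: Counter({signature: hits})} for probing hosts only;
    clean clients and unparseable lines are skipped."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sig = classify(rec["path"])
        if sig:
            hits.setdefault(rec["ip"], Counter())[sig] += 1
    return hits


def deny_list(log_text, min_hits=1):
    """Sorted list of source addresses with at least min_hits worm probes."""
    return sorted(ip for ip, c in scan(log_text).items()
                  if sum(c.values()) >= min_hits)


def as_apache_deny(ips):
    """Render the list as mod_access directives for an .htaccess or <Directory>."""
    return "\n".join(f"Deny from {ip}" for ip in ips)


if __name__ == "__main__":
    for ip, c in scan(SAMPLE_LOG).items():
        print(ip, dict(c))
    print(as_apache_deny(deny_list(SAMPLE_LOG)))
```

The `min_hits` threshold is there because a single odd request is weak evidence; a host that sends the default.ida probe followed by the root.exe/cmd.exe sequence, as the first sample host does, is the Nimda pattern the poster describes, while the 200-status requests from the third host never reach the deny list.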
Its Paul Thurrot. Don't expect logic. (Score:4, Interesting)
What the fuck? According to WHAT kind of logic is DNS not mission critical? If it is not critical, let's take those DNS servers offline (both Microsoft's and WinInfo's) and see how long either MS or Thurrot lasts.
Re:The more accurate question (Score:2, Interesting)
It happens all the time around here so, yes, accusing Slashdot of hypocrisy is most often also correct on an individual user basis.
Comment on Article with Caution! (Score:2, Interesting)
I wanted to comment on the article (I still think it's some sort of joke) and use of I.E. (X), Mozilla (X), iCab (X), WannaBe (9), Mozilla (9), and iCab (9) all crashed on the "add comment link."
Well, at least it was a good exercise in net-non-compatibility and the non-coder who wrote the html for that pop up window you get clearly knows what he's doing.....coding html exclusively for a Windoze world.
My experience matched that :-( (Score:3, Interesting)
Later I upgraded Kenny to a recent Redhat release, either 7.1 or maybe 7.2, running in a medium-security configuration. I didn't notice any problems after that - whatever the popular security holes were had been patched or they were in services I hadn't turned on. I had some other serious problems with those distributions - basically they're not made to be installed on small machines unless you do one big partition or a lot of hand-tuning, and you can't netinstall from a single CDROM drive any more, so you'd better have at least one machine with a lot of disk space. But the security was much improved.
By the way, a couple of the intrusion detection techniques I used were:
Has anybody read the article? (Score:1, Interesting)
According to the beginning Bugtrack statements, the WinInfo article is completely backwards. I quote:
There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.
This means that all of the Outlook and Internet Explorer vulnerabilities are not included in the Win 2000 numbers, but apparently, any Sendmail, Apache, or Mozilla numbers are included with Linux.
Unless I am reading this wrong, the article is not comparing apples to apples, and shows that there are about as many bugs in the Win 2000 kernel as there are in all of Linuxdom!
Re:Waste of time? (Score:1, Interesting)
This is a good article. It's controversial, only because it goes against the grain of the normal
What you're asking me to do is against my viewpoint. I'd prefer to read every discussion raw and uncut, and make my decision based on what I see. Not what the
But, that's just me.
(Trying to stay outta trouble. Hand slaps hurt, folks.)